Group membership filters with multiple uids
- From: Dustin Wenz <dustinwenz [at] ebureau.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Group membership filters with multiple uids
- Date: Fri, 1 Apr 2016 16:49:58 -0500
I've recently begun using nss-pam-ldapd under FreeBSD as a replacement for
nss_ldap. It's almost working perfectly, except for one obstacle relating to
ssh authentication using multiple uids when ssh access is restricted based on
group membership.
For example, an LDAP user like me might have both "dustinwenz" and "dustin"
uids, but only the first uid is listed as a member of groups on the directory
server. So, when I log in as "dustin", nslcd looks for
"&(objectClass=posixGroup)(|(memberUid=dustin)" and never finds my group
membership (thus rejecting my ssh connection).
If I remove all group restrictions for ssh, I can successfully log in as my
short uid, and nslcd is then smart enough to translate that short name to the
primary "dustinwenz". I can see this in the debug messages: username changed
from "dustin" to "dustinwenz".
Is there any way for nslcd to perform that username switch prior to searching for
group membership?
Thanks,
- .Dustin
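A small model of the mismatch described in this message, added here as an example and not taken from nss-pam-ldapd or from the poster: it builds the posixGroup filter from the typed login name alone and from every uid value of the matching entry, then evaluates both against a sample directory. The directory contents, the `sshusers` group, the function names and the `expand_aliases` switch are all constructed for illustration.

```python
# Constructed sample directory: one account with two uid values,
# and a group that lists only the long name in memberUid.
USERS = [{"uid": ["dustinwenz", "dustin"], "uidNumber": 1001}]
GROUPS = [{"cn": "sshusers", "memberUid": ["dustinwenz"]}]


def escape_filter_value(value):
    """Escape a value per RFC 4515 so a login name cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def group_filter(names):
    """Build the posixGroup search filter for one or more member names."""
    terms = "".join("(memberUid=%s)" % escape_filter_value(n) for n in names)
    return "(&(objectClass=posixGroup)(|%s))" % terms


def uid_values(login):
    """Return every uid value of the entry that matches the login name."""
    for user in USERS:
        if login in user["uid"]:
            return list(user["uid"])
    return []


def groups_for(names):
    """Evaluate the memberUid OR-filter against the sample groups."""
    return sorted(g["cn"] for g in GROUPS if set(names) & set(g["memberUid"]))


def ssh_allowed(login, required_group, expand_aliases):
    """Group-restricted login check; expand_aliases is a hypothetical switch."""
    names = uid_values(login) if expand_aliases else [login]
    return required_group in groups_for(names)


if __name__ == "__main__":
    for expand in (False, True):
        names = uid_values("dustin") if expand else ["dustin"]
        print(group_filter(names), "->", ssh_allowed("dustin", "sshusers", expand))
```

Matching on every uid value of an entry is only safe when uid values are unique across the directory; if a short name also belongs to another account, that account's group memberships would be picked up as well.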